Fix for bug #184 and related user login issues.
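--- a/MoinMoin/apps/frontend/views.py Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/apps/frontend/views.py Fri Jul 13 19:43:23 2012 +0300
@@ -1296,16 +1296,10 @@
 )
 
 
-def _logout():
- for key in ['user.itemid', 'user.trusted', 'user.auth_method', 'user.auth_attribs', ]:
- if key in session:
- del session[key]
-
-
 @frontend.route('/+logout')
 def logout():
 flash(_("You are now logged out."), "info")
- _logout()
+ flaskg.user.logout_session()
 return redirect(url_for('.show_root'))
 
 
@@ -1470,8 +1464,7 @@
 # send verification mail
 is_ok, msg = flaskg.user.mail_email_verification()
 if is_ok:
- _logout()
- flaskg.user.save()
+ flaskg.user.logout_session()
 response['flash'].append((_('Your account has been disabled because you changed your email address. Please see the email we sent to your address to reactivate it.'), "info"))
 response['redirect'] = url_for('.show_root')
 else: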
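Review bot: The change-email branch no longer calls `flaskg.user.save()`, and the replacement `logout_session()` (added in MoinMoin/user.py) rotates the token with `generate_session_token(False)`, so nothing visible in this commit writes the new session key or the changed profile to storage. If `save=False` means "do not persist", as the parameter name suggests, sessions in other browsers would keep validating against the stored key and the log-out-everywhere behaviour would not take effect; the same applies to the `/+logout` route in the first hunk. Either keep `flaskg.user.save()` after `flaskg.user.logout_session()` here, or have `logout_session` call `self.generate_session_token()` with its default `save=True`. Both view functions extend outside the hunks, so a later save may exist that is not visible here.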
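--- a/MoinMoin/auth/__init__.py Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/auth/__init__.py Fri Jul 13 19:43:23 2012 +0300
@@ -444,6 +444,9 @@
 trusted=trusted)
 if userobj.valid and not userobj.validate_session(session_token):
 logging.debug("session token doesn't validate")
+ # Destroy current session since it's no longer valid.
+ userobj.logout_session(False)
+ # We didn't find user in session data.
 userobj = None
 logging.debug("session started for user {0!r}".format(userobj))
 return userobj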
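Review bot: The added comment `# We didn't find user in session data.` does not describe this branch: the user was found and is valid, but the session token failed validation. Something like `# Token mismatch: treat this request as anonymous.` would be accurate. The rejection is also logged only at debug level; a failed session token for a valid user is worth a `logging.warning` that names the user, so stale or replayed cookies show up in normal logs. `userobj.logout_session(all_browsers=False)` would read more clearly than the positional `False`. The enclosing function starts outside the hunk.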
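--- a/MoinMoin/user.py Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/user.py Fri Jul 13 19:43:23 2012 +0300
@@ -662,6 +662,15 @@
 
 # Sessions ---------------------------------------------------
 
+ def logout_session(self, all_browsers=True):
+ """ Terminate session in all browsers unless all_browsers is set to False """
+ if all_browsers:
+ self.generate_session_token(False)
+
+ for key in ['user.itemid', 'user.trusted', 'user.auth_method', 'user.auth_attribs', 'user.session_token', ]:
+ if key in session:
+ del session[key]
+
 def generate_session_token(self, save=True):
 """ Generate new session token and key pair. Used to validate sessions. """
 key, token = generate_token()
@@ -681,7 +690,8 @@
 
 def validate_session(self, token):
 """ Check if the session token is valid. """
- return valid_token(self.profile[SESSION_KEY], token)
+ # Ignore timeout, it's already handled by session cookie and session key should never timeout.
+ return valid_token(self.profile[SESSION_KEY], token, None)
 
 # Account verification / Password recovery -------------------------------
 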
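Review bot: `validate_session` now passes `None` as the timeout, so a session token has no server-side expiry and stays valid until the key in `self.profile[SESSION_KEY]` is regenerated. The comment relies on the session cookie for expiry, but the client controls cookie lifetime unless the session payload carries a signed timestamp that the server checks. That is worth confirming and stating in the comment, e.g. `# No token timeout: expiry is enforced by the signed session cookie; the key is rotated on logout.` The docstring of `logout_session` should also say that it clears the login keys from the current `session` in every case, and that `all_browsers=True` additionally regenerates the key.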
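--- a/MoinMoin/util/crypto.py Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/util/crypto.py Fri Jul 13 19:43:23 2012 +0300
@@ -194,6 +194,7 @@
 
 :param key: give the secret key to verify the token
 :param token: the token to verify
+ :param timeout: timeout seconds, set to None to ignore timeout
 :rtype: bool
 :returns: token is valid and not timed out
 """
@@ -204,7 +205,7 @@
 stamp = int(parts[0])
 except ValueError:
 return False
- if stamp + timeout < time.time():
+ if timeout and stamp + timeout < time.time():
 return False
 expected_token = generate_token(key, stamp)[1]
 return token == expected_token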
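Review bot: The new guard `if timeout and stamp + timeout < time.time():` treats `timeout=0` the same as `None`, so a caller passing 0 gets a token that never expires rather than one that is already expired. `if timeout is not None and stamp + timeout < time.time():` matches the docstring's "set to None to ignore timeout". With the timeout optional, the final `token == expected_token` is the only check left for such tokens, and it is an ordinary string comparison. A constant-time comparison (for example `hmac.compare_digest`, where the Python version provides it) would be the safer choice. The function's signature and opening lines are outside the hunk.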